Details

VuXML ID

3ff95dd3-c291-11df-b0dc-00215c6a37bb

Discovery

2010-09-13

Entry

2010-09-17

Django project reports:

The provided template tag for inserting the CSRF
token into forms -- {% csrf_token %} -- explicitly
trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the
value of the CSRF cookie can cause arbitrary content
to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.
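The flaw the advisory describes is a classic "trusted data in an untrusted slot": the value of a cookie is attacker-influenced, yet it was interpolated into the hidden form field as raw HTML. The following added example (written for this page, not Django's own code or its eventual patch) reproduces the unsafe interpolation beside a hardened rendering that validates the cookie against an assumed token shape (fixed-length alphanumeric; the length is an assumption of this example) and HTML-escapes the value regardless. The tampered cookie value is constructed for the demonstration.

```python
import html
import re
import secrets

# Assumed token format for this example; Django's real token shape is not
# part of the advisory text and is not claimed here.
TOKEN_LEN = 32
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{%d}$" % TOKEN_LEN)
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

FIELD_TEMPLATE = "<input type='hidden' name='csrfmiddlewaretoken' value='%s' />"


def render_csrf_field_vulnerable(cookie_value: str) -> str:
    """Mirrors the behaviour the advisory describes: the cookie value is
    trusted as-is and interpolated into the form HTML without escaping."""
    return FIELD_TEMPLATE % cookie_value


def is_well_formed_token(value: str) -> bool:
    """True only if the value looks like a token we could have issued."""
    return bool(TOKEN_RE.match(value))


def new_token() -> str:
    """Generate a fresh token from a CSPRNG (example helper, not Django's)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))


def render_csrf_field_hardened(cookie_value: str) -> tuple[str, str]:
    """Hardened variant (an assumption of this example, not Django's patch):
    a cookie that is not a well-formed token is discarded and replaced by a
    fresh one, and whatever is emitted is HTML-escaped as defence in depth.
    Returns (rendered field, token that should be written back to the cookie)."""
    token = cookie_value if is_well_formed_token(cookie_value) else new_token()
    return FIELD_TEMPLATE % html.escape(token, quote=True), token


# Constructed tampered cookie value: an attacker who can write the CSRF cookie
# closes the value attribute, injects script, and reopens an attribute so the
# surrounding markup still parses.
TAMPERED = "x'/><script>alert(document.domain)</script><input value='"

if __name__ == "__main__":
    print("vulnerable:", render_csrf_field_vulnerable(TAMPERED))
    field, token = render_csrf_field_hardened(TAMPERED)
    print("hardened:  ", field)
    print("new token: ", token)
```

The validation step does the real work: a cookie that fails the expected-shape check is never echoed at all, so the escaping only matters if some future change widens the token alphabet. Both layers are cheap, and keeping both means a regression in one does not immediately become a stored XSS reachable by anyone who can set a cookie for the site's domain.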